This section contains the following topics:
Functions Available within Expressions
All constant data is one of three main literal data types: strings, numbers, or Booleans. The string data type includes two sub-types: sets and LDAP distinguished names. The number data type includes one sub-type: dates. All functions and operations result in one of these types or their sub-types.
In addition to the literal data types, there are data types that function as variables:
Strings
Strings represent character data as a string of zero or more characters enclosed by a pair of single or double quotes. String values are constants that can be manipulated by the built-in operators and functions. For example, strings can be converted to another data type or concatenated.
Strings that start with an optional positive or negative sign and contain the characters "0" through "9" can be converted to number values. The strings "TRUE" and "YES" (or "true" and "yes") can be converted to the Boolean value TRUE. All other string values are converted to FALSE. Two strings can be concatenated. In concatenation, the beginning of the second string is joined to the end of the first string.
Sets and LDAP distinguished names (DNs) are special cases of the string data type. A set is a string of elements that are separated by the caret character, for example, 'element1^element2'. Each element in the set is a string.
An LDAP DN is a simple string that uniquely identifies an entry in an LDAP directory and whose format is defined by the LDAP specification.
Numbers
Numbers must be integers or whole numbers with an optional leading positive or negative sign. Four-byte integers are supported or whole numbers that range from -231 to 231. Decimal points are ignored. Number values are constants that can be manipulated by the built-in operators and functions. For example, numbers can be converted to another data type.
Numbers can be converted to strings that start with an optional negative sign and contain only the characters "0" through "9". Numbers can also be converted to Boolean values. Non-zero numbers are converted to TRUE; zero is converted to FALSE.
Dates are a special case of the number data type. They are represented as the number of seconds that have passed since January 1, 1970.
There are numerous functions that manipulate dates. For example, the DOW function accepts the numeric representation of a date and returns a number in the range 0-6 that corresponds to a day of the week. There are also functions that convert a date in string format to a number and a number representation of a date to a string.
Booleans
Booleans are one of two values: TRUE or FALSE. Boolean values are constants that can be compared and manipulated by the built-in operators and functions. For example, Booleans can be converted to another data type.
When a Boolean value is converted to a number value, TRUE is converted to 1, and FALSE is converted to 0. When a Boolean value is converted to a string value, TRUE is converted to "TRUE" and FALSE is converted to "FALSE".
User Attributes
User attributes have names and values. User attribute names are unquoted. User attribute values are strings and are quoted. User attribute names must conform to the following rules:
A user attribute name functions as a variable data type, not as a literal. When a user attribute name is encountered, the corresponding attribute value is retrieved from the user directory. When an attribute has multiple values, they are returned as a set. A set is a string of elements separated by the caret character, for example, 'value1^value2'. Each element in the set is a string.
Named Expressions
There are two types of named expressions: virtual user attributes and user classes.
Virtual user attributes differ from user attributes. Unlike user attributes, which are stored in the user directory as strings, virtual user attributes name expressions that are calculated at runtime and that result in a string, number, or Boolean value. Also unlike user attributes, virtual user attributes are read-only.
User classes are a special case of virtual user attributes. Like virtual user attributes, user classes name expressions that are calculated at runtime. Unlike virtual user attributes, user classes name expressions that test membership in a user group or directory and that result in a Boolean value only.
Both virtual user attribute names and user class names must conform to the following rules:
Note: Active expressions and named expressions are not the same. While both types of expressions are evaluated at run-time, they differ in the following ways:
The syntax described in this appendix belongs to an internal CA SiteMinder® expression evaluator. You can use the data types, operators, and built-in functions that comprise this syntax in expressions, when you define Roles or Entitlements in the Administrative UI. An unnamed expression is local to the particular Role or Entitlement that you are defining, or you can use named expressions, which are defined globally.
Named expressions include virtual user attributes (whose names begin with #) and user classes (whose names begin with @).
A virtual user attribute calculates a value when the required information cannot be read directly from a user's directory entry. Virtual user attributes return a string, number, or Boolean value. For example, if you wanted to format name information so that it could be used frequently for sorting, you could define a virtual user attribute called #SortName in the user interface as follows:
UCase(RTrim(LastName + "," + FirstName + " " + Initial))
This example uses two built-in functions, UCASE and RTRIM. Note that these name are not case sensitive.
A user class is an expression that determines whether a user belongs to a particular category based on user type, such as a manager or an administrator. A user is either a member of a particular user class or not, so the result of a user class expression is always Boolean.
When you define a virtual user attribute or user class, you can specify that it is private, which means that it can only be called from other named expressions. Similarly, some of the built-in functions are designated as privileged functions, which means that they can only be called from within another named expression. Privileged functions are noted in the Remarks section as "Privileged". Functions that accept one or more LDAP Distinguished Names as parameters are noted in the Remarks section as "LDAP Only".
Expressions can be stored as objects in the Policy Store, where they can be referenced by name from anywhere, including from other expressions. Any expression can pass values to a named expression through the placeholders %1 through %9 and the special placeholder %0. This is called pasting.
There are two types of named expressions: virtual user attributes and user classes. Virtual user attribute names start with a pound sign, and user class names start with an at sign. Both types of named expressions are followed by up to nine parameters. The syntax is similar to the syntax of a function:
#virtual_user_attribute(P1, P2, P3, P4, P5, P6, P7, P8, P9)
@user_class(P1, P2, P3, P4, P5, P6, P7, P8, P9)
When creating a named expression in the Policy Store, you can use built-in operators and functions, the literal data types, the placeholders, and other named expressions. Use the placeholders to pass variable data to the named expression. In the following example, the URL is updated during each iteration and thus, must be represented by the placeholder %1.
Example:
You can create a virtual attribute named #URLFile that accepts a URL and returns a filename:
#URLFile := { FIND(%1, '/')=0 ? %1 : #URLFile(AFTER(%1, '/')) }
Return_value=#URLFile('C:\My Documents\expression_syntax.doc') Return_value='expression_syntax.doc'
In this example, the URL is passed to the built-in function FIND through the placeholder %1. FIND finds the first instance of "/" in the URL and returns its position. If "/" is not found, FIND returns 0 and #URLFile returns the filename. Otherwise, the URL is passed to the built-in function AFTER through the placeholder %1. AFTER returns that part of the URL that follows "/". The shortened URL is then passed to #URLFile. Recursion is supported.
The following table shows the values of the position and the URL at the completion of each iteration in this example:
Iteration |
Position |
URL |
---|---|---|
1 |
3 |
'My Documents\expression_syntax.doc' |
2 |
16 |
'expression_syntax.doc' |
When certain built-in functions, such as ENUMERATE or LOOP, call a named expression multiple times, once for each element in a set, the named expression must be created using the special placeholder %0. For example, you can create an expression named #RTrimset that removes trailing spaces from any number of set elements:
#RTrimset := RTrim(%0)
Then, you can pass a set to #RTrimset through the built-in function ENUMERATE:
Return_value=ENUMERATE('First_name ^Middle_name ^Last_name ',#RTrimset) Return_value='First_name^Middle_name^Last_name'
In this example, the set consists of three elements: the first, middle, and last names. ENUMERATE passes each name to #RTrimset. #RTrimset removes the trailing spaces and returns the shortened name to ENUMERATE. ENUMERATE includes each returned name in the resulting string and uses the caret character to separate them.
This topic lists all supported operators by category.
Comparative Operators
String Operators
Set Operators
Logical Operators
Arithmetic Operators
Miscellaneous Operator
The equality operator (=) compares two values. If the values are equal, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE. If the two values are strings, the operation is case-sensitive.
The equality operator (~=) only compares string values and is not case-sensitive.
Examples:
1 = 1
Result = TRUE
1 = 2
Result = FALSE
"sparrow" = "SPARROW"
Result = FALSE
"sparrow" ~= "SPARROW"
Result = TRUE
The inequality operator (!=) compares two values. If the values are not equal, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE. If the two values are strings, the operation is case-sensitive.
The inequality operator (~!=) only compares string values and is not case-sensitive.
Examples:
1 != 1
Result = FALSE
1 != 2
Result = TRUE
"sparrow" != "SPARROW"
Result = TRUE
"sparrow" ~!= "SPARROW"
Result = FALSE
The less-than operator (<) compares two values. If the first value is less than the second value, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE. If the two values are Boolean, TRUE is greater than FALSE. If the two values are strings, the operation is case-sensitive.
The less-than operator (~<) only compares string values and is not case-sensitive.
Examples:
1 < 2
Result = TRUE
2 < 1
Result = FALSE
'crow' < 'CROW'
Result = FALSE
'crow' ~< 'CROW'
Result = FALSE
The greater-than operator (>) compares two values. If the first value is greater than the second value, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE. If the two values are Boolean, TRUE is greater than FALSE. If the two values are strings, the operation is case-sensitive.
The greater-than operator (~>) only compares string values and is not case-sensitive.
Examples:
1 > 2
Result = FALSE
2 > 1
Result = TRUE
'crow' > 'CROW'
Result = TRUE
'crow' ~> 'CROW'
Result = FALSE
The less-than or equal-to operator (<=) compares two values. If the first value is less than or equal to the second value, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE. If the two values are Boolean, TRUE is greater than FALSE. If the two values are strings, the operation is case-sensitive.
The less-than or equal-to operator (~<=) only compares string values and is not case-sensitive.
Examples:
1 <= 2
Result = TRUE
2 <= 1
Result = FALSE
'junco' <= 'JUNCO'
Result = FALSE
'junco' ~<= 'JUNCO'
Result = TRUE
The greater-than or equal-to operator (>=) compares two values. If the first value is greater than or equal to the second value, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE. If the two values are Boolean, TRUE is greater than FALSE. If the two values are strings, the operation is case-sensitive.
The greater-than or equal-to operator (~>=) only compares string values and is not case-sensitive.
Examples:
1 >= 2
Result = FALSE
2 >= 1
Result = TRUE
'junco' >= 'JUNCO'
Result = TRUE
'junco' ~>= 'JUNCO'
Result = TRUE
The two begins-with operators (BEGINS_WITH and ~BEGINS_WITH) are designed to be used with string values. If the first string begins with the second string, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE.
The "BEGINS_WITH" operator is case-sensitive. The "~BEGINS_WITH" operator is not case-sensitive.
Examples:
'SiteMinder' BEGINS_WITH 'site'
Result = FALSE
'SiteMinder' ~BEGINS_WITH 'site'
Result = TRUE
The two ends-with operators (ENDS_WITH and ~ENDS_WITH) are designed to be used with string values. If the first string ends with the second string, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE.
The "ENDS_WITH" operator is case-sensitive. The "~ENDS_WITH" operator is not case-sensitive.
Examples:
'SiteMinder' ENDS_WITH 'DER'
Result = FALSE
'SiteMinder' ~ENDS_WITH 'DER'
Result = TRUE
The two containment operators (CONTAINS and ~CONTAINS) are designed to be used with string values. If the first string contains the second string, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE.
The "CONTAINS" operator is case-sensitive. The "~CONTAINS" operator is not case-sensitive.
Examples:
'SiteMinder' CONTAINS 'EMI'
Result = FALSE
'SiteMinder' ~CONTAINS 'EMI'
Result = TRUE
The set inclusion operators (IN and ~IN) test whether the first operand, a string, is an element of the second operand, a set. If the string is an element of the set, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE.
The IN operator is case-sensitive. The ~IN operator is not case-sensitive.
Examples:
'MON' IN 'Sun^Mon^Tue^Wed^Thu^Fri^Sat'
Result = FALSE
'MON' ~IN 'Sun^Mon^Tue^Wed^Thu^Fri^Sat'
Result = TRUE
The pattern matching operator LIKE compares a string value to a pattern of characters that is also a string, for example, 'abc' LIKE '???'. If the string value matches the pattern, the result of the operation is TRUE. Otherwise, the result of the operation is FALSE. The pattern matching operation is case-sensitive.
Patterns are created by combining single characters, character ranges, or both. Character ranges are specified by concatenating the first character in the range, a hyphen, and the last character in the range, for example, 0-9. Valid characters include numbers, uppercase and lowercase letters, and reserved characters that have special meanings. Character sets contain one or more characters, character ranges, or both and are enclosed by square brackets. For example, [0-9A-Za-z], [0-2ABC], and [789x-z] are all valid character sets.
Note: Character ranges are always part of a character set.
The following table lists the reserved characters and their meanings:
Character |
Meaning |
---|---|
' or " |
Specifies a string, such as 'abc' or "abc" |
- |
Specifies a range of characters, such as 0-9 |
? |
Matches any single character |
* |
Matches any sequence of characters, including one or none |
[set] |
Matches any single character in the specified set |
[!set] or [^set] |
Matches any single character not in the specified set |
[set]? |
Matches any single character in the specified set or an empty string |
[set]* |
Matches any sequence of characters in the specified set, including one or none |
\ |
Treats any reserved character as a regular character, such as \* |
Examples that use '?'
'' LIKE '?'
Result = FALSE
'a' LIKE '?'
Result = TRUE
'ab' LIKE '?'
Result = FALSE
'abc' LIKE '???'
Result = TRUE
'191' LIKE '1??'
Result = TRUE
'201' LIKE '1??'
Result = FALSE
Examples that use '*'
'' LIKE '*'
Result = TRUE
'a' LIKE '*'
Result = TRUE
'a1b2c3' LIKE '*'
Result = TRUE
'robin' LIKE 'r*n'
Result = TRUE
'room' LIKE 'r*n'
Result = FALSE
Examples that use '[set]'
'' LIKE '[abcde]'
Result = FALSE
'f' LIKE '[abcde]'
Result = FALSE
'c' LIKE '[abcde]'
Result = TRUE
'abc' LIKE '[abcde]' Compare: 'abc' LIKE '[abcde]*'
Result = FALSE
Examples that use '[!set]' or '[^set]'
'' LIKE '[!abcde]'
Result = FALSE
'f' LIKE '[^abcde]'
Result = TRUE
'c' LIKE '[!abcde]'
Result = FALSE
'xyz' LIKE '[^abcde]'
Result = FALSE
Examples that use '[set]?'
'' LIKE '[abcde]?'
Result = TRUE
'a' LIKE '[abcde]?'
Result = TRUE
'ab' LIKE '[abcde]?'
Result = FALSE
'z' LIKE '[abcde]?'
Result = FALSE
Examples that use '[set]*'
'' LIKE '[abcde]*'
Result = TRUE
'a' LIKE '[abcde]*'
Result = TRUE
'aabbccddee' LIKE '[abcde]*'
Result = TRUE
'abcdef' LIKE '[abcde]*'
Result = FALSE
'abc' LIKE '[abcde]*' Compare: 'abc' LIKE '[abcde]'
Result = TRUE
Examples that use '\'
'123-456-7890' LIKE '[0-9][0-9][0-9]\-[0-9][0-9][0-9]\-[0-9][0-9][0-9][0-9]'
Result = TRUE
'_!_^_*_?_' LIKE '_\!_\^_\*_\?_'
Result = TRUE
Examples that test case-sensitivity
'a' LIKE '[a-z]'
Result = TRUE
'A' LIKE '[a-z]'
Result = FALSE
'A' LIKE '[A-Za-z]'
Result = TRUE
'Robin' LIKE '[A-Za-z]*'
Result = TRUE
'Robin' LIKE '[A-Z][a-z]*'
Result = TRUE
'robin' LIKE '[A-Z][a-z]*'
Result = FALSE
The set intersection operators (INTERSECT and ~INTERSECT) compare two sets. Sets are strings of elements separated by the caret character. The resulting set is a string that contains only those elements present in both sets. The INTERSECT operator is case-sensitive. The ~INTERSECT operator is not case-sensitive.
Important! The sequence of elements in the resulting set is not predictable. When the operation is not case-sensitive, the case of elements in the resulting set is also not predictable.
Examples:
'BLUE JAY^ORIOLE^WREN' INTERSECT 'BLUE JAY^wren'
Result = 'BLUE JAY'
'BLUE JAY^ORIOLE^WREN' ~INTERSECT 'BLUE JAY^wren'
Result = 'BLUE JAY^WREN'
The set union operator (UNION) returns a set containing all unique elements of the two operand sets (the union of the two sets). Duplicate elements are removed.
If the tilde character (~) precedes the UNION operator (~UNION), then two elements that differ only in case are considered identical.
Important! The sequence of the resulting set is not predictable. Also, if the ~UNION operator is specified, the case of a resulting intersecting element is not predictable.
Examples:
"JUAN^BART^CHUCK" UNION "CHUCK^Bart"
Result = "JUAN^BART^CHUCK^Bart"
"JUAN^BART^CHUCK" ~UNION "CHUCK^Bart"
Result = "JUAN^BART^CHUCK"
"JUAN^BART^JUAN^CHUCK" UNION "JUAN^BART^JUAN^CHUCK"
Result = "JUAN^BART^CHUCK"
The NOT operator takes a single Boolean operand and reverses its value. It changes FALSE to TRUE and TRUE to FALSE. Note that this operator is usually used to reverse the result of a comparison operator.
Examples:
NOT ("SiteMinder" ENDS_WITH "R")
Result = TRUE
NOT ("SiteMinder " ~ENDS_WITH "R")
Result = FALSE
The AND operator (also written & and &&) takes two Boolean operands and returns TRUE if both operands are TRUE. Note that this operator is usually used to connect two comparisons.
The evaluator does not evaluate the second Boolean operand if the first one is FALSE (since the result must be FALSE).
Examples:
(1 > 2) AND ("JUAN" ~= "JUAN")
Result = FALSE
(1 < 2) AND ("JUAN" ~= "JUAN")
Result = TRUE
The OR operator (also written | or ||) takes two Boolean operands and returns TRUE if either operand is TRUE. Note that this operator is usually used to connect two comparisons.
The evaluator does not evaluate the second Boolean operand if the first one is TRUE (since the result must be TRUE already).
Examples:
(1 > 2) OR ("JUAN" ~= "JUAN")
Result = TRUE
(1 < 2) OR ("JUAN" ~= "JUAN")
Result = TRUE
The exclusive OR (XOR) operator takes two Boolean operands and returns TRUE if either operand is TRUE, but not both. This operator is usually used to connect two comparisons.
Examples:
(1 > 2) XOR ("JUAN" ~= "JUAN")
Result = TRUE
(1 < 2) XOR ("JUAN" ~= "JUAN")
Result = FALSE
The string concatenation operator (+) returns a string that contains the combination of its two string operands.
If the first operand is a string, but the second is a number or a Boolean, the second operand is converted to a string. If the first operand is a number, the operator (+) indicates arithmetic addition, not concatenation.
Examples:
"JUAN" + " " + "Jones"
Result = "JUAN Jones"
"JUAN" + 2
Result = "JUAN2"
The arithmetic addition (+) operator returns the sum of two numeric operands.
If the first operand is a number, but the second is a string or a Boolean, the second operand is converted to a number.
Examples:
1 + 2
Result = 3
1 + "JUAN"
Result = 1
1 + "32JUAN"
Result = 33
The arithmetic subtraction (-) operator returns the difference between two numeric operands.
If the first operand is a number, but the second is a string or a Boolean, the second operand is converted to a number.
Examples:
1 - 2
Result = -1
1 - "JUAN"
Result = 1
100 - "32JUAN"
Result = 68
The arithmetic multiplication (*) operator returns the product of two operands.
If the first operand is a number, but the second is a string or a Boolean, the second operand is converted to a number.
Examples:
1 * 2
Result = 2
1 * "JUAN"
Result = 0
100 * "32JUAN"
Result = 3200
The arithmetic division operator (/) returns the quotient of two operands.
If the first operand is a number, but the second is a string or a Boolean, the second operand is converted to a number.
All division is integer division.
Note: Division by zero, which is arithmetically undefined, always results in an error in this environment.
Examples:
1 / 2
Result = 0
1 / "JUAN"
Result = 0
100 / "32JUAN"
Result = 3
The conditional operator evaluates a Boolean expression (the first operand) and based on the result returns one of two other operands.
If the Boolean operand is TRUE, the result of the operator is the second operand (the THEN clause), otherwise the third operand is returned (the ELSE clause). The second and the third operand must be the same type.
Only one clause of this operator is ever evaluated. In other words, if the THEN clause (operand) is evaluated, the ELSE clause (operand) is not evaluated. (And the opposite is also true.)
Examples:
"JUAN" = "juan" ? "YES" : "NO"
Result = "NO"
"JUAN" ~= "juan" ? "YES" : "NO"
Result = "YES"
The indexing operator takes two arguments: a set and a number (the index). The set is broken into components and the component corresponding to the specified index is returned (like a traditional array). If the index is out of range, a blank string is returned.
The first element in the set is at index zero (0).
Examples:
"Sun^Mon^Tue^Wed^Thu^Fri^Sat"[2]
Result = "Tue"
"Sun^Mon^Tue^Wed^Thu^Fri^Sat"[0]
Result = "Sun"
This topic lists all of the functions by area of utility.
Numeric Functions
String Functions
Set Functions
Date Functions
Conversion Functions
Generic User Directory I/O Functions
LDAP Functions
URL/Path Handling Functions
Logging Functions
File I/O Functions
Error Handling Functions
Miscellaneous Functions
The ABOVE function returns a TRUE if the specified user (user_DN) exists within a container that is above the specified container (root_DN).
The ABOVE function has the following format:
ABOVE(root_DN, user_DN)
The ABOVE function accepts the following parameters:
root_DN (string)
user_DN (string)
The ABOVE function returns a Boolean value.
LDAP Only: Yes
The ABS function finds the absolute value of a number.
The ABS function has the following format:
ABS(number)
The ABS function accepts the following parameter:
number (number)
The ABS function returns a number.
Return_value=ABS(3)
Return_value=3
Return_value=ABS(-2)
Return_value=2
The AFTER function finds the specified instance of a search string in a source string and returns that part of the source string that follows the search string. If the search string is not found, then the AFTER function returns a blank string.
The AFTER function has the following format:
AFTER(source_string, search_string[, not_case_sensitive][, n])
The AFTER function accepts the following parameters:
source_string (string)
search_string (string)
not_case_sensitive (Boolean)
(Optional) Specifies case sensitivity. If the not_case_sensitive flag is omitted or set to FALSE, the function searches the source string for an exact match. If the not_case_sensitive flag is set to TRUE, the function ignores case.
n (number)
(Optional) Specifies the instance of the search string in the source string. If n is set to zero or one or omitted, the function finds the first instance of the search string. Otherwise, the function finds the nth instance of the search string. If n is negative, the function begins the search at the end of the source string.
The AFTER function returns a string.
Return_value=AFTER('EricEric', 'r')
Return_value='icEric'
Return_value=AFTER('EricEric', 'R')
Return_value=''
Return_value=AFTER('EricEric', 'R', TRUE)
Return_value='icEric'
Return_value=AFTER('EricEric', 'r', -1)
Return_value='ic'
Return_value=AFTER('EricEric', 'R', -1)
Return_value=''
Return_value=AFTER('EricEric', 'R', TRUE, -1)
Return_value='ic'
Return_value=AFTER('EricEric', 'r', 2)
Return_value='ic'
Return_value=AFTER('EricEric', 'R', 2)
Return_value=''
Return_value=AFTER('EricEric', 'R', TRUE, 2)
Return_value='ic'
The ALL function accepts two numbers and returns a TRUE if all of the bits that are set in the second number are also set in the first number.
The ALL function has the following format:
ALL(number1, number2)
The ALL function accepts the following parameters:
number1 (number)
number2 (number)
The ALL function returns a Boolean value.
Return_value=ALL(7, 2)
Return_value=TRUE
Return_value=ALL(7, 15)
Return_value=FALSE
The ANDBITS function performs a bitwise AND operation on two numbers.
The ANDBITS function has the following format:
ANDBITS(number1,number2)
The ANDBITS function accepts the following parameters:
number1 (number)
number2 (number)
The ANDBITS function returns a number.
Return_value=ANDBITS(7,2)
Return_value=2
Return_value=ANDBITS(7,15)
Return_value=7
The ANY function accepts two numbers and returns a TRUE if any of the bits that are set in the second number are also set in the first number.
The ANY function has the following format:
ANY(number1, number2)
The ANY function accepts the following parameters:
number1 (number)
number2 (number)
The ANY function returns a Boolean value.
Return_value=ANY(7, 2)
Return_value=TRUE
Return_value=ANY(7, 15)
Return_value=TRUE
The AT function returns a TRUE if the specified user (user_DN) exists within the specified container (root_DN).
The AT function has the following format:
AT(root_DN, user_DN)
The AT function accepts the following parameters:
root_DN (string)
user_DN (string)
The AT function returns a Boolean value.
LDAP Only: Yes
The BEFORE function finds the specified instance of a search string in a source string and returns that part of the source string that precedes the search string. If the search string is not found, then the BEFORE function returns the entire source string.
The BEFORE function has the following format:
BEFORE(source_string, search_string[, not_case_sensitive][, n])
The BEFORE function accepts the following parameters:
source_string (string)
search_string (string)
not_case_sensitive (Boolean)
Specifies case sensitivity. If the not_case_sensitive flag is set to FALSE or omitted, the BEFORE function searches the source string for an exact match. If the not_case_sensitive flag is set to TRUE, the function ignores case.
n (number)
Specifies the instance of the search string in the source string. If n is set to zero or one or omitted, the BEFORE function finds the first instance of the search string. Otherwise, the function finds the nth instance of the search string. If n is negative, the function begins the search at the end of the source string.
The BEFORE function returns a string.
Return_value=BEFORE('EricEric', 'r')
Return_value='E'
Return_value=BEFORE('EricEric', 'R')
Return_value='EricEric'
Return_value=BEFORE('EricEric', 'R', TRUE)
Return_value='E'
Return_value=BEFORE('EricEric', 'r', -1)
Return_value='EricE'
Return_value=BEFORE('EricEric', 'R', -1)
Return_value='EricEric'
Return_value=BEFORE('EricEric', 'R', TRUE, -1)
Return_value='EricE'
Return_value=BEFORE('EricEric', 'r', 2)
Return_value='EricE'
Return_value=BEFORE('EricEric', 'R', 2)
Return_value='EricEric'
Return_value=BEFORE('EricEric', 'R', TRUE, 2)
Return_value='EricE'
The BELOW function returns a TRUE if the specified user (user_DN) exists within a container that is below the specified container (root_DN)
The BELOW function has the following format:
BELOW(root_DN, user_DN)
The BELOW function accepts the following parameters:
root_DN (string)
user_DN (string)
The BELOW function returns a Boolean value.
LDAP Only: Yes
The BOOLEAN function converts a number or string value to a string value of either "TRUE" or "FALSE". Numeric values of zero are converted to "FALSE". All other numeric values are converted to "TRUE". String values of "true" or "yes" are converted to "TRUE". All other string values are converted to "FALSE". The BOOLEAN function is not case-sensitive.
The BOOLEAN function has the following format:
BOOLean(number | string)
The BOOLEAN function accepts either one of the following two parameters:
number (number)
string (string)
The BOOLEAN function returns one of the following string values:
Return_value=BOOLEAN('Phoebe')
Return_value="FALSE"
Return_value=BOOLEAN('Yes')
Return_value="TRUE"
Return_value=BOOLEAN(123)
Return_value="TRUE"
Return_value=BOOLEAN(0)
Return_value="FALSE"
The CHAR function converts the specified ASCII value to a one-character string.
The CHAR function has the following format:
CHaR(ASCII_value)
The CHAR function accepts the following parameter:
ASCII_value (number)
Specifies the ASCII value. If the ASCII_value is zero, the function returns an empty string. If the ASCII_value is greater than 255, the function converts the modulus 256 of the ASCII_value to a one-character string.
Note: Performing a modulus 256 on a value is equivalent to performing a bitwise AND with 255.
The CHAR function returns a one-character string.
Return_value=CHAR(0)
Return_value=''
Return_value=CHAR(36)
Return_value='$'
Return_value=CHAR(299)
Return_value='+'
The CENTER function pads both ends of a source string with a specified character until the resulting string is a specified length. If the padding is uneven, the function adds an extra character to the end of the string.
The CENTER function has the following format:
CENTER(source, length[, padding])
The CENTER function accepts the following parameters:
source (string or number)
Specifies the source string. The function automatically converts a number to a string.
length (number)
Specifies the length of the resulting string.
padding (string)
(Optional) Specifies the character that the function uses to pad the source string.
The CENTER function returns a string.
Return_value=CENTER('Robin', 9, '*')
Return_value='**Robin**'
Return_value=CENTER('Robin', 7, 'ooo')
Return_value='oRobino'
Return_value=CENTER('Robin', 7, '')
Return_value='Robin'
Return_value=CENTER('Robin', 11)
Return_value=' Robin'
Return_value=CENTER(123, 9)
Return_value='000123000'
The COMMONDN function returns the common root of two LDAP distinguished names (DNs) without calling an LDAP server.
The COMMONDN function has the following format:
COMMONDN(ldapdn1, ldapdn2)
The COMMONDN function accepts the following parameters:
ldapdn1 (string)
Specifies an LDAP distinguished name (DN).
ldapdn2 (string)
Specifies an LDAP distinguished name (DN).
Note: If either ldapdn1 or ldapdn2 is not a valid LDAP DN or if the two DNs do not share a common root, the function returns an empty string. An LDAP DN is not case-sensitive.
The COMMONDN function returns a string.
LDAP Only: Yes
Return_value=COMMONDN('uid=Vincent,o=NDS.com', 'ou=People,o=nds.com')
Return_value='o=NDS.com'
The COUNT function counts the number of elements in a set.
The COUNT function has the following format:
COUNT(set[, case_sensitive])
The COUNT function accepts the following parameters:
set (string)
Specifies a string of elements that are separated by the caret character: 'element1^element2'. Each element is a string.
case_sensitive (Boolean)
(Optional) Specifies case sensitivity.
The COUNT function returns a number.
Return_value=COUNT('phoebe^PHOEBE^robin^robin')
Return_value=4
Return_value=COUNT('phoebe^PHOEBE^robin^robin', FALSE)
Return_value=2
Return_value=COUNT('phoebe^PHOEBE^robin^robin', TRUE)
Return_value=3
The DATE function (form 1) accepts a numeric representation of date and time and sets the time to midnight on the specified date.
The DATE function (form 1) has the following format:
DATE(date_time)
The DATE function (form1) accepts the following parameter:
date_time (number)
Specifies the date and time as the number of seconds that have passed since January 1, 1970. If date_time is not a valid representation of date and time, the function returns -1.
The DATE function (form1) returns a number.
The DATE function (form 2) accepts six numbers that represent the year, month, day, hours, minutes, and seconds and converts them to a numeric representation of date and time. Date and time are represented numerically as the number of seconds that have passed since January 1, 1970. If the three time parameters are omitted, the function sets the time to midnight on the specified date.
The DATE function (form 2) has the following format:
DATE(year, month, day[, hours, minutes, seconds])
The DATE function (form 2) accepts the following parameters:
year (number)
Specifies a four-digit representation of the year.
Example: 2007
month (number)
Specifies the month.
Range: 1-12
day (number)
Specifies the day.
Range: 1-31
hours (number)
(Optional) Specifies the number of hours.
Range: 0-23
minutes (number)
(Optional) Specifies the number of minutes.
Range: 0-59
seconds (number)
(Optional) Specifies the number of seconds.
Range: 0-59
The DATE function (form 2) returns a number.
The DATEFROMSTRING function accepts a string representation of a date, a time, or both and converts the string to a numeric representation. Date and time are represented numerically as the number of seconds that have passed since January 1, 1970.
The DATEFROMSTRING function has the following format:
DATEFROMSTRING(date_time[, format_string])
The DATEFROMSTRING function accepts the following parameters:
date_time (string)
format_string (string)
(Optional) Specifies the format of date_time. For example, the format_string "YYYYMMDD" specifies the format of "20020223." If the format_string is omitted, the function uses the default format of "YYYYMMDDhhmmss." If date_time is invalid, the function returns -1.
The DATEFROMSTRING function returns a number.
Return_value=DATEFROMSTRING('20020223')
Return_value=1024804800
The DATETOSTRING function accepts a numeric representation of a date, a time, or both and converts the number to a string representation.
The DATETOSTRING function has the following format:
DATETOSTRING(date_time[, format_string])
The DATETOSTRING function accepts the following parameters:
date_time (number)
Specifies a date, a time, or both as the number of seconds that have passed since January 1, 1970. If the date_time is invalid, the function returns the value "INVALID DATE".
format_string (string)
(Optional) Specifies the format of a date, a time, or both in the resulting string using the format codes listed in the table. Any characters or character combinations not listed in the table are inserted in the resulting string as is. If the format_string is omitted, the function formats the resulting string using the date and time representation appropriate for the locale that is currently stored in the Policy Server. The format codes and resulting formats are:
Code |
Resulting Format |
---|---|
%a |
Abbreviated weekday name (English) |
%A |
Full weekday name (English) |
%b |
Abbreviated month name (English) |
%B |
Full month name (English) |
%c |
Date and time representation appropriate for current locale |
%#c |
Long date and time representation appropriate for current locale |
%d |
Day of month as decimal number (01-31) |
%H |
Hour in 24-hour format (00-23) |
%I |
Hour in 12-hour format (01-12) |
%j |
Day of year as decimal number (001-366) |
%m |
Month as decimal number (01-12) |
%M |
Minute as decimal number (00-59) |
%P |
Local am and pm indicator for 12-hour clock |
%S |
Second as decimal number (00-59) |
%U |
Week of year as decimal number with Sunday as first day of week (00-53) |
%w |
Weekday as decimal number (0-6 with Sunday as 0) |
%W |
Week of year as decimal number with Monday as first day of week (00-53) |
%x |
Date representation appropriate for current locale |
%#x |
Long date representation appropriate for current locale |
%X |
Time representation appropriate for current locale |
%y |
Year without century as decimal number (00-99) |
%Y |
Year with century as decimal number |
%z, %Z |
Time-zone name or abbreviation if known |
%% |
Percent sign |
Note: The pound sign modifies the meaning of the format codes, as follows.
The DATETOSTRING function returns a string.
Return_value=DATETOSTRING(1024804800, '%Y%m%d')
Return_value='20020223'
Return_value=DATETOSTRING(1024804800, '%Y%#m%#d')
Return_value='2002223'
The DAY function accepts a numeric representation of date and time and returns the number corresponding to the day of the month.
The DAY function has the following format:
DAY(date_time)
The DAY function accepts the following parameter:
date_time (number)
Specifies the date and time as the number of seconds that have passed since January 1, 1970. If the date is invalid, the function returns -1.
The DAY function returns a number from 1 to 31.
Return_value=DAY(1024804800)
Return_value=23
The DOW function accepts a numeric representation of date and time and returns a number corresponding to the day of the week.
The DOW function has the following format:
DOW(date_time)
The DOW function accepts the following parameter:
date_time (number)
Specifies the date and time as the number of seconds that have passed since January 1, 1970. If the date is invalid, the function returns -1.
The DOW function returns a number from 0 (Sunday) to 6 (Saturday).
Return_value=DOW(1024804800)
Return_value=0
The DOY function accepts a numeric representation of date and time and returns a number corresponding to the day of the year.
The DOY function has the following format:
DOY(date_time)
The DOY function accepts the following parameter:
date_time (number)
Specifies the date and time as the number of seconds that have passed since January 1, 1970. If the date is invalid, the function returns -1.
The DOY function returns a number from 1 to 366.
Return_value=DOY(1024804800)
Return_value=173
The ENUMERATE function passes each element in the specified set to the named expression specified by the parameter #virtual_user_attribute or @user_class using pasting. If the named expression returns a value, the element is included in the resulting string.
The ENUMERATE function has the following format:
ENUMERATE(set, #virtual_user_attribute | @user_class)
The ENUMERATE function accepts the following parameters:
set (string)
Specifies a string of elements that are separated by the caret character: 'element1^element2'. Each element is a string.
#virtual_user_attribute (named expression)
Specifies a named expression that calculates a user attribute.
@user_class (named expression)
Specifies a named expression that tests for membership in a user directory or group.
The ENUMERATE function returns a string or integer depending on the attribute type that the function expects.
Virtual User Attribute #GetCN set to RDN( STRING(%0),FALSE)
ENUMERATE(SM_USERGROUPS, #GetCN)
ENUMERATE(SM_USERGROUPS, STRING(RDN(%0, FALSE)))
The ERROR function writes the specified error message to CA SiteMinder®'s Console Log.
The ERROR function has the following format:
ERROR(error_message)
The ERROR function accepts the following parameter:
error_message (string)
The ERROR function returns an empty string. When used in a Boolean context, the ERROR function returns the value TRUE.
Priviledged: Yes
Return_value=ERROR('Invalid Access')
Return_value=''
The EVALUATE function evaluates an expression in the context of the current user and returns the result as a string. If an optional user path is provided, the function evaluates the expression in the context of the specified user.
The EVALUATE function has the following format:
EVALUATE(expression)
The EVALUATE function accepts the following parameters:
expression (string)
Specifies the expression to be evaluated.
The EVALUATE function returns a string.
Privileged: Yes
Return_value=EVALUATE("sn + ',' + givenname")
Return_value="Hood, Robin"
The EXISTS function looks up the specified file and returns a TRUE if the file exists. Otherwise, the function returns a FALSE.
The EXISTS function has the following format:
EXISTS(filename)
The EXISTS function accepts a filename.
filename (string)
The EXISTS function returns a Boolean value.
Privileged: Yes
Return_value=EXISTS('SmUtilities.dll')
Return_value=TRUE
The EXPLODEDN function converts an LDAP distinguished name (DN) to a set without calling an LDAP server.
The EXPLODEDN function has the following format:
EXPLODED(ldapdn[, remove_attribute_names])
The EXPLODEDN function accepts the following parameters:
ldapdn (string)
Specifies an LDAP distinguished name (DN).
remove_attribute_names (Boolean)
(Optional) Specifies the remove_attribute_names flag. If the flag is TRUE, the function removes the attribute names from the LDAP distinguished name (DN).
The EXPLODEDN function returns a string of elements that are separated by the caret character: 'element1^element2'. Each element is a string.
LDAP Only: Yes
Return_value=EXPLODEDN('uid=hawk,o=NDS.com', FALSE)
Return_value='uid=hawk^o=NDS.com'
Return_value=EXPLODEDN('uid=hawk,o=NDS.com', TRUE)
Return_value='hawk^NDS.com'
The FILTER function compares each element in the specified set to the specified pattern and returns a new set containing only the elements that match the pattern. If the optional NOT operator is included, the FILTER function returns a new set containing only the elements that do not match the pattern.
The FILTER function has the following format:
FILTER(set, [NOT ]pattern)
The FILTER function accepts the following parameters:
set (string)
Specifies a string of elements that are separated by the caret character: 'element1^element2'. Each element is a string.
pattern (string)
Specifies a pattern of characters. A pattern can include single characters, ranges of characters, or both. A range of characters is expressed as two characters separated by a hyphen. The following are examples of valid character ranges: 0-9, a-z, and A-Z. The pattern parameter can also include characters that are reserved and have special meanings. The reserved characters are:
Character |
Meaning |
---|---|
? |
Matches any single character |
* |
Matches any sequence of characters, including one or none |
[set] |
Matches any single character in the specified set |
[!set] or [^set] |
Matches any single character not in the specified set |
\ |
Treats any reserved character as a regular character, such as \* |
NOT (operator)
(Optional) If the NOT operator is included, the function returns a new set containing only the elements that do not match the pattern.
The FILTER function returns a string of elements separated by the caret character: 'element1^element2'. Each element is a string.
Return_value=FILTER('Faith^Earl^Emilie^Fred', 'E*')
Return_value='Earl^Emilie'
Return_value=FILTER('Faith^Earl^Emilie^Fred', NOT 'E*')
Return_value='Faith^Fred'
The FIND function finds the specified instance of the search string in the source string and returns its position. If the search string is not found, then the function returns a zero.
The FIND function has the following format:
FIND(source_string, search_string[, not_case_sensitive][, n])
The FIND function accepts the following parameters:
source_string (string)
search_string (string)
not_case_sensitive (Boolean)
(Optional) Specifies case sensitivity. If the not_case_sensitive flag is omitted or set to FALSE, the function searches the source string for an exact match. If the not_case_sensitive flag is set to TRUE, the FIND function ignores case.
n (number)
(Optional) Specifies the instance of the search string in the source string. If n is set to zero or one or omitted, the function finds the first instance of the search string. Otherwise, the function finds the nth instance of the search string. If n is negative, the function begins the search at the end of the source string.
The FIND function returns a number.
Return_value=FIND('PhoebePhoebe', 'oe', FALSE, 1)
Return_value=3
Return_value=FIND('PhoebePhoebe', 'OE', FALSE, 1)
Return_value=0
Return_value=FIND('PhoebePhoebe', 'OE', TRUE, 1)
Return_value=3
Return_value=FIND('PhoebePhoebe', 'oe', FALSE, -1)
Return_value=9
Return_value=FIND('PhoebePhoebe', 'OE', FALSE, -1)
Return_value=0
Return_value=FIND('PhoebePhoebe', 'OE', TRUE, -1)
Return_value=9
Return_value=FIND('PhoebePhoebe', 'oe', FALSE, 2)
Return_value=9
Return_value=FIND('PhoebePhoebe', 'OE', FALSE, 2)
Return_value=0
Return_value=FIND('PhoebePhoebe', 'OE', TRUE, 2)
Return_value=9
The GET function locates the specified attribute or attributes in a user directory and returns the attribute values. Multiple attribute values are separated by the caret character. If the function cannot find an attribute, it returns an empty string.
The GET function has the following format:
GET(user_attribute_name | user_attributes_string)
The GET function accepts one of the following parameters:
user_attribute_name (unquoted string)
Specifies a single user attribute.
user_attributes_string (string)
Specifies a string of user attribute names separated by a character. The function uses this character to separate one attribute's values from another attribute's values in the resulting string.
The GET function returns a string.
Privileged: Yes
LDAP Only: Yes
Return_value=GET('sn,givenname')
Return_value='Finch,Robin'
The HEX function converts a decimal number to a hexadecimal number and returns it as a string.
The HEX function has the following format:
HEX(decimal_number)
The HEX function accepts the following parameter:
decimal_number (number)
The HEX function returns a string.
Return_value=HEX(16)
Return_value='10'
The HOUR function converts the specified date and time to an hour from 1 to 12.
The HOUR function has the following format:
HOUR(date_time)
The HOUR function accepts the following parameter:
date_time (number)
Specifies the date and time as the number of seconds that have passed since January 1, 1970. If date_time is not a valid representation of date and time, the function returns -1.
The HOUR function returns a number from 1 to 12.
The HOUR24 function converts the specified date and time to an hour from 0 to 23.
The HOUR24 function has the following format:
HOUR24(date_time)
The HOUR24 function accepts the following parameter:
date_time (number)
Specifies the date and time as the number of seconds that have passed since January 1, 1970. If date_time is not a valid representation of date and time, the function returns -1.
The HOUR24 function returns a number from 0 to 23.
The INFO function writes the string argument to the CA SiteMinder® Console Log as an INFO message.
The INFO function has the following format:
INFO(source_string)
The INFO function accepts the following parameter:
source_string (string)
The INFO function returns a Boolean, always TRUE.
Return_value=INFO("86% Complete")
Return_value=TRUE
The KEY function looks up the specified key name in the specified application section of the specified file and returns a key value. If the key, application, or file is not found, then the KEY function returns an empty string.
The KEY function has the following format:
KEY(filename, [application_name, ]key_name)
The KEY function accepts the following parameters:
filename (string)
Specifies the file. In the specified file, comment lines start with a semicolon, pound sign, or two forward slashes. Comment lines, blank lines, and leading and trailing spaces are ignored.
application_name (string)
(Optional) Specifies the name of the application section. In the specified file, application names are enclosed by square brackets and specify the beginning of an application section: [application_name]. Application names are case-sensitive.
key_name (string)
Specifies the name of the key. In the specified file, key names and values are enclosed by angle brackets and paired by an equal sign, one pair per line: <key_name>=<key_value>. Key names are case-sensitive.
The KEY function returns a string.
Privileged: Yes
LDAP Only: No
Return_value=KEY('application.dat', 'login user')
Return_value='key_value'
The LCASE function converts any uppercase letters in the specified string to lowercase.
The LCASE function has the following format:
LCASE(specified_string)
The LCASE function accepts the following parameter:
specified_string (string)
The LCASE function returns a string.
Return_value=LCASE('BARRED OWL')
Return_value='barred owl'
The LEFT function returns a specified number of characters of a string. If the string is shorter than the specified number of characters, the entire string is returned.
The LEFT function has the following format:
LEFT(source_string, length)
The LEFT function accepts the following parameters:
source_string (string)
length (number)
The LEFT function returns a string.
Return_value=LEFT('JuanJuan', 2)
Return_value='Ju'
Return_value=LEFT('JuanJuan', 10)
Return_value=('JuanJuan')
Return_value=LEFT('JuanJuan', 0)
Return_value=''
The LEN function returns the length of a string.
The LEN function has the following format:
LEN(source_string)
The LEN function accepts the following parameter:
source_string (string)
The function returns a number.
Return_value=LEN("JuanJuan")
Return_value=8
The LOG function writes the string argument to the specified file.
The LOG function has the following format:
LOG(filename, source_string)
The LOG function accepts the following parameters:
filename (string)
source_string (string)
The LOG function returns a Boolean, which is always TRUE.
Privileged: Yes
Return_value=LOG("auditlog.txt", "Accessing Realm XXX")
Return_value=TRUE
The LOOP function calls the virtual attribute once for each possible number in the loop, starting and ending at the specified values. If the step value is specified, the numbers are incremented by the step value. If the virtual attribute returns a non-blank value, the value is included in the resulting set.
The LOOP function has the following format:
LOOP(#virtual_user_attribute, start_value, end_value, [step,] )
The LOOP function accepts the following parameters:
#virtual_user_attribute (Named Expression)
Name of a defined virtual attribute. The virtual attribute can access the current loop counter by using a reference to %0.
start_value (number)
end_value (number)
step (number)
(Optional) The default is 1. Negative values are allowed.
The LOOP function returns a set.
For these examples assume the virtual user attribute is #Padset := LPAD(%0, 2)
Return_set=LOOP(#Padset ,1, 5) Return_set="001^002^003^004^005" Return_set=LOOP(#Padset ,1, 5, 2) Return_set="001^003^005" Return_set=LOOP(#Padset ,5, 1, -1) Return_set="005^004^003^002^001"
The LPAD function pads a source string on the left with the first character of the specified padding until the resulting string is the specified length.
The LPAD function has the following format:
LPAD(source_string, length[, padding])
The LPAD function accepts the following parameters:
source_string (string)
This parameter can also be a number; it is automatically converted to a string.
length (number)
The number of characters of the final string.
padding (string)
(Optional) If the padding is more than one character long, only the first character is used. If the padding is zero length, no padding is done. If the source is a string and padding omitted, a space is used for padding. If the source is a number and padding is omitted, a zero is used for padding.
The LPAD function returns a string.
Result_value=LPAD('Juan', 5)
Result_value=' Juan'
Result_value=LPAD('Juan', 5, 'X')
Result_value= 'XJuan'
Result_value=LPAD('Juan', 6, 'XY')
Result_value= 'XXJuan'
Result_value=LPAD(5, 2)
Result_value= '05'
Result_value=LPAD(5, 2, ' ')
Result_value=' 5'
The LTRIM function returns a string representing the source_string with any leading spaces removed.
The LTRIM function has the following format:
LTRIM(source_string)
The LTRIM function accepts the following parameter:
source_string (string)
The LTRIM function returns a string.
Return_value=LTRIM(' Juan ')
Return_value='Juan '
The MAX function returns the larger of two numeric arguments.
The MAX function has the following format:
MAX(int_1, int_2)
The MAX function accepts the following parameters:
int_1 (number)
int_2 (number)
The MAX function returns a number.
Return_value=MAX(-2, 4)
Return_value=4
You can write an expression that tests a condition and calls the function MAYBE if information needed for the test is missing or incomplete. When the expression evaluator encounters MAYBE, it tries to resolve the expression without the needed information. This is only possible when MAYBE is part of a compound expression.
For example, when the operator is AND and one operand is FALSE, the evaluator can determine that the result of the operation is FALSE. When one operand is TRUE and the other operand is undefined or both operands are undefined, the evaluator cannot determine the result of the operation. When both operands are TRUE, the result of the AND operation is TRUE.
AND Operator |
True |
False |
Undefined |
---|---|---|---|
True |
True |
False |
Indeterminate |
False |
False |
False |
False |
Undefined |
Indeterminate |
False |
Indeterminate |
Likewise, when the operator is OR and one operand is TRUE, the evaluator can determine that the result of the operation is TRUE. When one operand is FALSE and the other operand is undefined or both operands are undefined, the evaluator cannot determine the result of the operation. When both operands are FALSE, the result of the OR operation is FALSE.
OR Operator |
True |
False |
Undefined |
---|---|---|---|
True |
True |
True |
True |
False |
True |
False |
Indeterminate |
Undefined |
True |
Indeterminate |
Indeterminate |
If the evaluator cannot resolve the expression, it stops processing and the specified message is output to the console log or report depending on the context. MAYBE is typically called during role evaluation either in the context of a policy or report generation.
Typically, conditions depend on the time of day or an IP address or the value of a virtual user attribute (specified by the # sign), a user class (specified by the @ sign), a context variable (specified by the % sign), or a user attribute.
Note: In the case of LDAP user directories, the evaluator cannot determine whether a user attribute is defined.
The MAYBE function has the following format:
MAYBE(message)
The MAYBE function accepts the following parameter:
message (string)
Specifies the information that is missing and needed to evaluate a condition in an expression.
The MAYBE function does not return.
VEXIST(%ClientIP) ? #CheckIP : MAYBE('Client IP address is not defined.')
Message Output to the Console Log or Report: 'Client IP address is not defined.'
The MID function returns the characters of the source_string starting at the start position (numbered from one) up to the specified length. If no length is specified, the rest of the source_string (after the start position) is returned.
The MID function has the following format:
MID(source_string, start[,length])
The MID function accepts the following parameters:
source_string (string)
start (number)
length (number) (Optional)
The MID function returns a string.
Return_value=MID('JuanJuan', 2, 3)
Return_value='uan'
Return_value=MID('JuanJuan', 2)
Return_value='uanJuan'
The MIN function returns the lesser of two numeric arguments.
The MIN function has the following format:
MIN(int_1, int_2)
The MIN function accepts the following parameters:
int_1 (number)
int_2 (number)
The MIN function returns a number.
Return_value=MIN(-2, 4)
Return_value=-2
The MINUTE function returns the number representing the minute component for a specified date_time expressed in seconds since January 1, 1970.
The MINUTE function has the following format:
MINUTE(date_time)
The MINUTE function accepts the following parameter:
date_time (number)
The date in the number of seconds.
The MINUTE function returns a number between 0 and 59. If the date_time is invalid, MINUTE returns -1.
The MOD function returns the modulus (remainder) of the division of the first number by the second. If the second number is zero, zero is returned.
The MOD function has the following format:
MOD(int_1, int_2)
The MOD function accepts the following parameters:
int_1 (number)
The dividend of the division operation.
int_2 (number)
The divisor of the division operation.
The MOD function returns a number.
Return_value=MOD(3, 2)
Return_value=1
Return_value=MOD(6, 3)
Return_value =0
The MONTH function returns the number representing the month component for a specified date_time expressed in seconds since January1, 1970.
The MONTH function has the following format:
MONTH(date_time)
The MONTH function accepts the following parameter:
date_time (number)
The date represented in the number of seconds.
The MONTH function returns a number between 1 and 12. If the date_number is invalid, MONTH returns -1.
The NOTBITS function performs a bitwise NOT operation on a number.
The NOTBITS function has the following format:
NOTBITS(number)
The NOTBITS function accepts the following parameter:
number (number)
The NOTBITS function returns a number.
Return_value=NOTBITS(0)
Return_value=-1
Return_value=NOTBITS(1)
Return_value=-2
The NOW function returns a numeric value representing the number of seconds since January 1, 1970 at the time the function is invoked. The time is local to the current server system.
This value is computed at the beginning of operations in a specific expression. Multiple references to the NOW function within the same expression always have the same result.
The NOW function has the following format:
NOW()
The NOW function accepts no parameters.
The NOW function returns a number.
Return_value=NOW()
Return_value=1024804800
The NOWGMT function returns a numeric value representing the number of seconds since January 1, 1970 at the time the function is invoked. The time is in the Greenwich (ZULU) time zone.
This value is computed at the beginning of operations in a specific expression. Multiple references to the NOWGMT function within the same expression always have the same result.
The NOWGMT function has the following format:
NOWGMT()
The NOWGMT function accepts no parameters.
The NOWGMT function returns a number.
The NUMBER function converts its argument to a numeric value. Strings are converted up to the first non-digit. Booleans that have a value of TRUE are converted to 1; otherwise, they are converted to zero.
The NUMBER function has the following format:
NUMBER(source_string | bool_val)
The NUMBER function accepts either of the following parameters:
source_string (string)
bool_val (Boolean)
The NUMBER function returns a number.
Return_value=NUMBER('juan')
Return_value=0
Return_value=NUMBER('45juan')
Return_value=45
Return_value=NUMBER(TRUE)
Return_value=1
The ORBITS function performs a bitwise OR operation on its two arguments.
The ORBITS function has the following format:
ORBITS(int_1, int_2)
The ORBITS function accepts the following parameters:
int_1 (number)
int_2 (number)
The ORBITS function returns a number.
Result_value=ORBITS(6, 1)
Result_value=7
Result_value=ORBITS(7, 8)
Result_value=15
The PARENTDN function returns the next level up in the LDAP Directory Information Tree above the specified distinguished name (DN). If the specified DN is invalid, or is already at the top of the tree, a blank string is returned.
The PARENTDN function has the following format:
PARENTDN(source_string)
The PARENTDN function accepts the following parameters:
source_string (string)
The LPAP distinguished name (DN).
The PARENTDN function returns a string.
LDAP Only: Yes
Return_value=PARENTDN("uid=juan,o=NDS.com")
Return_value="o=NDS.com"
Return_value=PARENTDN("o=NDS.com")
Return_value=""
The PCASE function converts the specified string to proper case (initial capital letters).
The PCASE function has the following format:
PCASE(source_string)
The PCASE function accepts the following parameters:
source_string (string)
The PCASE function returns a string.
Return_value=PCASE("framingham, mass")
Return_value="Framingham, Mass")
The QS function retrieves items from the query string associated with the resource being accessed by the user when the expression is evaluated.
If no arguments are supplied to this function, the entire query string (and only the query string) is returned. The query string is returned unchanged.
If the string argument is supplied as a blank string (“”), then all of the arguments in the query string that are unnamed are returned. If multiple values exist, they are returned as a set.
If the string argument is supplied as a non-blank string, all of the arguments in the query string that are named with a matching name are returned. Case-sensitivity is controlled by the optional Boolean flag. If multiple values exist, they are returned as a set.
The QS function has the following format:
QS([input_string,][ not_case_sensitive])
The QS function accepts the following optional parameters:
input_string (string)
(Optional) Name of an argument in the query string.
not_case_sensitive (Boolean)
(Optional) If the not_case_sensitive flag is set to FALSE or omitted, the function searches the query string for an exact match. If the not_case_sensitive flag is set to TRUE, the function ignores case.
The QS function returns a string.
Assume this resource: http://myserver.com/index.jsp?Test=A&X&TEST=D&c&Dbg
Return_value=QS()
Return_value='Test=A&X&TEST=D&c&Dbg'
Return_value=QS("")
Return_value='X^c'
Return_value=QS("Test")
Return_value= 'A^D'
Return_value=QS("Test", false)
Return_value= 'A'
"Dbg" IN QS("")
Return_value=TRUE
The RDN function returns the first component of the specified LDAP Distinguished Name (DN). If the optional Boolean argument is TRUE (the default), the attribute name is removed and only the value is returned.
If the specified DN is invalid, a blank string is returned. This function does not call any LDAP server.
The RDN function has the following format:
RDN(DN_string[, remove_name])
The RDN function accepts the following parameters:
DN_string (string)
LDAP Distinguished Name
remove_name
(Optional) When set to TRUE (the default), the attribute name is removed from the returned string. When set to FALSE, the attribute is included in the returned string.
The RDN function returns a string.
LDAP Only: Yes
Return_value=RDN("uid=juan,o=NDS.com")
Return_value="juan"
Return_value=RDN("uid=juan,o=NDS.com", TRUE)
Return_value="juan"
Return_value=RDN("uid=juan,o=NDS.com", FALSE)
Return_value="uid=juan"
The RELATIONDN function compares the two specified LDAP distinguished names (DNs) and returns a string indicating the relationship between them.
If either of the two DNs is invalid, or the two DNs are completely unrelated, a blank string is returned.
If the two DNs are related, the difference in levels (of the Directory Information Tree) is returned as a string. If the first DN is the ancestor of the second, the number is positive. If the first DN is a descendent of the second, the number is negative. If the two DNs are equal or siblings, the return is 0 (indicating no levels).
Note: This function does not call any LDAP server functions.
The RELATIONDN function has the following format:
RELATIONDN(dn_1, dn_2)
The RELATIONDN function accepts the following parameters:
dn_1 (string)
dn_2 (string)
The RELATIONDN function returns a string.
LDAP Only: Yes
Return_value=RELATIONDN("uid=eric,o=NDS.com", "o=NDS.com")
Return_value="-1"
Return_value=RELATIONDN("o=NDS.com", "uid=eric,o=NDS.com")
Return_value="1"
Return_value=RELATIONDN("uid=dave,o=NDS.com", "uid=eric,o=NDS.com")
Return_value="0"
Return_value=RELATIONDN("uid=dave,o=XYZ.com", "uid=eric,o=NDS.com")
Return_value=""
The RIGHT function returns the specified number of characters from the end of a string. If the string is shorter than the number, the entire string is returned.
The RIGHT function has the following format:
RIGHT(source_string, length)
The RIGHT function accepts the following parameters:
source_string (string)
length (number)
Number of characters to extract, counting from the end of the string.
The RIGHT function returns a string.
Return_value=RIGHT('JuanJuan', 2)
Return_value='an'
Return_value=RIGHT('JuanJuan', 10)
Return_value='JuanJuan'
Return_value=RIGHT('JuanJuan', 0)
Return_value=''
The RPAD function adds the first character of the specified padding to the end of the string until the source string becomes the specified length.
If the padding is more than one character long, only the first character is used. If the padding is zero length, no padding is added.
If the source is a string, and the padding is not specified, a space is used for padding. If the source is a number and padding is not specified, a zero is used for padding.
The RPAD function has the following format:
RPAD(source_string|number, length[, padding])
The RPAD function accepts the following parameters:
source_string (string)
This parameter can be a number; it is converted to a string.
length (number)
padding (string)
(Optional)
The RPAD function returns a string.
Return_value=RPAD('Juan', 5)
Return_value='Juan '
Return_value=RPAD('Juan', 5, 'X')
Return_value='JuanX'
Return_value=RPAD('Juan', 6, 'XY')
Return_value='JuanXX'
Return_value=RPAD(5, 2)
Return_value='50'
Return_value=RPAD(5, 2, ' ')
Return_value='5 '
The RPT function returns a string that repeats a source string the specified number of times.
The RPT function has the following format:
RPT(source_string|number, repeat_count)
The RPT function accepts the following parameters:
source_string (string)
This parameter can be a number; it is converted to a single character.
repeat_count (string)
The RPT function returns a string.
Return_value=RPT('Juan', 3)
Return_value='JuanJuanJuan')
Return_value=RPT('*', 10)
Return_value="**********')
The RTRIM function eliminates trailing spaces from a source string and returns the result.
The RTRIM function has the following format:
RTRIM(source_string)
The RTRIM function accepts the following parameter:
source_string (string)
The RTRIM function returns a string.
Return_value=RTRIM(' JuanJuan ' )
Return_value=' JuanJuan'
The SECOND function returns a value that represents the seconds component of a date expressed as the number of seconds since January 1, 1970.
The SECOND function has the following format:
SECOND(date_time)
The SECOND function accepts the following parameter:
date_time (number)
The number of seconds.
The SECOND function returns a number from 0 to 59.
The SET function assigns a specified value to a specified attribute. Multiple values are specified for multi-valued attributes by a set. This function works for all User Directories supported by CA SiteMinder®.
The SET function returns TRUE if CA SiteMinder® returns success on the modification.
If the attribute is not visible to CA SiteMinder®, the function fails. The attribute may not be visible due to security reasons (security in the User Directory) or, in the case of ODBC directories, because it is not in the configured Query or not an attribute listed in the Set Properties setting of the CA SiteMinder® Query Scheme.
The SET function has the following format:
SET(attr_name, value)
The SET function accepts the following parameters:
attr_name (string)
value (string)
Specifies one or more values. Multiple values are separated by the caret character.
The SET function returns a Boolean.
Privileged: Yes
Return_value=SET("Retries", STRING(NUMBER(Retries) + 1))
The SIGN function accepts a number. If the number is negative, SIGN returns a negative one. If the number is zero, SIGN returns a zero. If the number is positive, SIGN returns a positive one.
The SIGN function has the following format:
SIGN(number)
The SIGN function accepts the following parameter:
number (number)
The SIGN function returns a number: -1, 0, or +1.
Return_value=SIGN(-40)
Return_value=-1
Return_value=SIGN(0)
Return_value=0
Return_value=SIGN(999)
Return_value=1
The SORT function sorts a specified set. Case sensitivity is specified by an optional Boolean parameter. Duplicate items are eliminated from the resulting set.
The SORT function has the following format:
SORT(source_set[, not_case_sensitive]
The SORT function accepts the following parameters:
source_set (string)
Set to be sorted.
not_case_sensitive (Boolean)
(Optional) If this parameter is omitted or set to FALSE, the sort treats entries as identical unless the cases are different. If this parameter is set to TRUE, the sort ignores case.
The SORT function returns a set.
Return_value=SORT("Eric^Bart^Chuck^BART^Chuck") Return_value="BART^Bart^Chuck^Eric"
Return_value=SORT("Eric^Bart^Chuck^BART^Chuck", FALSE) Return_value="BART^Bart^Chuck^Eric"
Return_value=SORT("Eric^Bart^Chuck^BART^Chuck", TRUE) Return_value="Bart^Chuck^Eric"
The SPACE function returns a string that consists of the specified number of spaces.
The SPACE function has the following format:
SPACE(repeat_count)
The SPACE function accepts the following parameters:
repeat_count (number)
The number of spaces to include in the string.
The SPACE function returns a string.
Return_value=SPACE(3) Return_value=' '
Return_value=SPACE(10) Return_value=" "
The STRING function converts a number or Boolean into a string value.
The STRING function has the following format:
STRING(num_value|bool_value)
The STRING function accepts either one of these parameters:
num_value (number)
bool_value (Boolean)
The STRING function returns a string.
Return_value=STRING(TRUEVAL)
Return_value="TRUE"
Return_value=STRING(123)
Return_value='123'
You can write an expression that tests for an error and if an error has occurred, calls THROW, passing a custom error message. When the expression evaluator encounters THROW, it stops processing the expression and outputs the custom error message to the console log.
The THROW function has the following format:
THROW(error_message)
The THROW function accepts the following parameter:
error_message (string)
Specifies the custom error message that is output to the console log.
The THROW function does not return.
EXISTS('MyFile') ? #Process('MyFile') : THROW('File does not exist.')
Message Output to the Console Log: 'File does not exist.'
VEXIST(#Sortname) ? #Sortname : THROW('Sortname is not defined.')
Message Output to the Console Log: 'Sortname is not defined.'
The TRACE function writes the string argument to the CA SiteMinder® Console Log as a trace entry.
The TRACE function has the following format:
TRACE(source_string)
The TRACE function accepts the following parameter:
source_string (string)
The TRACE function returns a Boolean, always TRUE.
Priviledged: Yes
Return_value=TRACE("Executing Code")
Return_value=TRUE
The TRANSLATE function replaces all occurrences of one string found within a second string with a third string. The search is case-sensitive unless the optional Boolean is set to TRUE.
The TRANSLATE function has the following format:
TRANSLATE(source_string, search_string, replace_string[, not_case_sensitive])
The TRANSLATE function accepts the following parameters:
source_string (string)
search_string (string)
replace_string (string)
not_case_sensitive (Boolean)
(Optional) If this parameter is not set or set to FALSE, case is considered in the search. If set to TRUE, case is ignored.
The TRANSLATE function returns a string.
Return_value=TRANSLATE('Eric','r','x')
Return_value='Exic'
Return_value=TRANSLATE('Eric','ri','x')
Return_value='Exc'
Return_value=TRANSLATE('Eric','r','xy')
Return_value='Exyic'
Return_value=TRANSLATE('Eric','R','x')
Return_value='Eric'
Return_value=TRANSLATE('Eric','R','x',TRUE)
Return_value= 'Exic'
The UCASE function converts the source string to upper case.
The UCASE function has the following format:
UCASE(source_string)
The UCASE function accepts the following parameter:
source_string (string)
The UCASE function returns a string.
Return_value=UCASE('framingham, mass')
Return_value='FRAMINGHAM, MASS'
The URL function parses the supplied URL (or path) and returns the specified component. This function ignores characters that are URL-encoded.
Note: The URL function only parses strings that use slashes, not backslashes. If you are using a system running Windows, use the TRANSLATE function to convert backslashes to slashes.
The URL function has the following format:
URL(url_string, component)
The URL function accepts the following parameters:
url_string (string)
The URL or path must be specified following this format:
[<protocol>:][//][<user>[:<password>]@]<server>[:<port#>] [[/<directory>]/[<file>]][?<querystring>]
component (string)
Component names are not case-sensitive. You can specify any of the following components:
The URL function returns a string.
Return_value=URL("http://www.myserver.com:8080/app1/xyzzy.jsp?id=12", "PROTOCOL")
Return_value="http:"
Return_value=URL("ftp://joe:dog@ftp.myserver.com/dir1/xyzzy.zip", "USER")
Return_value="joe"
Return_value=URL("ftp://joe:dog@ftp.myserver.com/dir1/xyzzy.zip", "PASSWORD")
Return_value="dog"
Return_value=URL("http://www.myserver.com:8080/app1/xyzzy.jsp?id=12", "SERVER")
Return_value="www.myserver.com"
Return_value=URL("http://www.myserver.com:8080/app1/xyzzy.jsp?id=12", "PORT")
Return_value="8080"
Return_value=URL("http://www.myserver.com:8080/app1/xyzzy.jsp?id=12", "DOMAIN")
Return_value="myserver.com"
Return_value=URL("ftp://joe:dog@ftp.myserver.com/dir1/xyzzy.zip", "URI")
Return_value="/dir1/xyzzy.zip"
Return_value=URL("ftp://joe:dog@ftp.myserver.com/dir1/xyzzy.zip", "PATH")
Return_value="/dir1/xyzzy.zip"
Return_value=URL("ftp://joe:dog@ftp.myserver.com/dir1/xyzzy.zip", "DIRECTORY")
Return_value="/dir1"
Return_value=URL("ftp://joe:dog@ftp.myserver.com/dir1/xyzzy.zip", "FILENAME")
Return_value="xyzzy.zip"
Return_value=URL("ftp://joe:dog@ftp.myserver.com/dir1/xyzzy.zip", "BASENAME")
Return_value="xyzzy"
Return_value=URL("ftp://joe:dog@ftp.myserver.com/dir1/xyzzy.zip", "EXTENSION")
Return_value="zip"
Return_value=URL("ftp://joe:dog@ftp.myserver.com/dir1/xyzzy.zip", "QUERYSTRING")
Return_value=""
Return_value=URL("http://www.myserver.com:8080/app1/xyzzy.jsp?id=12", "QUERYSTRING")
Return_value="id=12"
The URLDECODE function decodes the specified URL string.
The URLDECODE function has the following format:
URLDECODE(url)
The function accepts the following parameter:
url (string)
The URLDECODE function returns a string.
Return_value=URLDECODE("Framingham%2C+Mass")
Return_value="Framingham, Mass"
The URLENCODE function encodes the passed-in string to URL format.
The URLENCODE function has the following format:
URLENCODE(source_string)
The URLENCODE function accepts the following parameter:
source_string (string)
The URLENCODE function returns a string.
Return_value=URLENCODE('Framingham, Mass') Return_value='Waltham%2C+Mass'
The VEXIST function accepts a named expression, a context variable, or user attribute and determines whether it is defined. If defined, VEXIST returns TRUE. If not, VEXIST returns FALSE.
Note: In the case of LDAP user directories, CA SiteMinder® cannot determine whether a user attribute is defined and returns FALSE.
The VEXIST function has the following format:
VEXIST(#virtual_user_attribute | @user_class | %context_variable | user_attribute_name | user_attribute_string)
The VEXIST function accepts one of the following parameters:
#virtual_user_attribute (named expression)
Specifies a named expression that calculates a user attribute.
@user_class (named expression)
Specifies a named expression that tests for membership in a user directory or group.
%context_variable (context variable)
Specifies a context variable.
user_attribute_name (unquoted string)
Specifies a single user attribute.
user_attributes_string (string)
Specifies a string of user attribute names separated by a character.
The VEXIST function returns a Boolean.
Return_value=VEXIST(#Age)
Return_value=TRUE
Return_value=VEXIST(@IsDolphin)
Return_value=FALSE
Return_value=VEXIST(%ClientIP)
Return_value=TRUE
Return_value=VEXIST(givenname)
Return_value=FALSE
Return_value=VEXIST('last,first')
Return_value=TRUE
The WARNING function writes the string argument to the CA SiteMinder® Console Log as a warning message.
The WARNING function has the following format:
WARNING(source_string)
The WARNING function accepts the following parameter:
source_string (string)
The WARNING function returns a Boolean, always TRUE.
Return_value=WARNING("Buffer Full")
Return_value=TRUE
The XORBITS function performs a bitwise XOR operation on its two arguments.
The XORBITS function has the following format:
XORBITS(num_1,num_2)
The XORBITS function accepts the following parameters:
num_1 (number)
num_2 (number)
The XORBITS function returns a number.
Return_value=XORBITS(7, 2)
Return_value=5
Return_value=XORBITS(7, 15)
Return_value=8
The YEAR function returns a number that indicates the year component of a date in seconds since January 1, 1970.
The YEAR function has the following format:
YEAR(date_time)
The YEAR function accepts the following parameter:
date_time (number)
The date represented in seconds.
The YEAR function returns a number between 70 and 138.
The YEAR4 function returns the four-digit year component of a date expressed in seconds since January 1, 1970.
The YEAR4 function has the following format:
YEAR4(date_time)
The YEAR4 function accepts the following parameters:
date_time (number)
The YEAR4 function returns a returns a number between 1970 and 2038.
Copyright © 2013 CA.
All rights reserved.
|
|